Lightweight Directory Access Protocol (LDAP) is a protocol for looking up information in a directory server over a TCP/IP connection. Information often maintained on an LDAP directory server includes, by way of example only and not by way of limitation, email addresses and mail routing information, public keys, contact lists, encryption certificates, pointers to printers and other services on a network, and the like. One of the primary purposes of an LDAP directory server is to provide centralized data management for a large, and often distributed, organization.
There are problems with managing trust relationships between the client and the directory server: the client and the directory server need to recognize each other, or data can fall into the wrong hands. In many deployments these trust issues are handled largely through public key infrastructure and password-based authentication. Deployments are usually fairly localized, so trust information regarding servers can be shared locally.
LDAPI (LDAP over a trusted local domain socket, e.g., a UNIX domain socket) is a way for a client to communicate with a server using a different transport mechanism. Instead of communicating over a network such as the internet, all communication is performed locally, that is, it is contained within a single operating system instance. In LDAPI, the security domain and all trust relationships are localized. Trust between server and client is inherent, since both exist on the same OS instance. The complexities of setup are reduced. Authentication credentials can pre-exist, for example being set up in one place and trusted locally. Identifying the server is easier. The client and the server exist within one computer and one OS instance; a computer may host more than one OS, but an LDAPI trust domain is limited to a single OS instance.
The LDAPI transport mechanism addresses the challenges of client and server authentication by allowing communication only between a client and a server that exist on the same OS instance. In this situation, both the client and the server are running inside an OS session. This OS session has an identity associated with it, which was authenticated before the OS session was created. When using LDAPI, the LDAP client knows that the server is valid because the OS has protections that allow only a trusted administrator to set up an LDAPI socket. The directory server can discover the identity of the client by using an OS socket mechanism that identifies the client at the other end of the socket.
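The two OS-level mechanisms this paragraph relies on, file permissions on the socket path controlling who may connect, and the kernel reporting the peer's identity to the server, can be shown with a small local exchange. The following is an added illustration and not code from the original text or from any directory server product; it uses Linux's SO_PEERCRED option (other systems expose the same idea under different names, such as LOCAL_PEERCRED), a constructed stand-in for a bind request, and a toy allow-list policy in place of a real directory server's authorization.

```python
import os
import socket
import struct
import tempfile
import threading

# Linux 'struct ucred' as returned by SO_PEERCRED: pid, uid, gid (three native ints).
_UCRED_FMT = "3i"


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a connected
    AF_UNIX socket. The kernel fills this in; the peer cannot choose the values."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(_UCRED_FMT))
    return struct.unpack(_UCRED_FMT, raw)


def authorize(creds, allowed_uids):
    """Toy authorization policy (an assumption, not a real server's rules):
    the kernel-reported uid must be on the allow list."""
    _pid, uid, _gid = creds
    return "ACCEPTED" if uid in allowed_uids else "DENIED"


def _serve_once(server_sock, allowed_uids, result):
    """Accept one client, identify it via SO_PEERCRED, answer, record the outcome."""
    conn, _ = server_sock.accept()
    with conn:
        request = conn.recv(1024)            # the client's (constructed) bind request
        creds = peer_credentials(conn)       # who is really on the other end
        decision = authorize(creds, allowed_uids)
        conn.sendall(decision.encode())
        result.update(request=request, creds=creds, decision=decision)


def run_exchange(allowed_uids=None):
    """Run a local client/server exchange over a UNIX domain socket and return
    what the server learned about the client plus the reply the client saw.
    allowed_uids=None means 'only the current user'; an empty set denies everyone."""
    if allowed_uids is None:
        allowed_uids = {os.getuid()}
    result = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        # Only the owner may traverse the directory holding the socket, so only
        # processes running as this user (or root) can connect at all. This is the
        # "OS protections" half of the argument: the path is under OS control.
        os.chmod(tmpdir, 0o700)
        path = os.path.join(tmpdir, "ldapi")

        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(path)
        server.listen(1)
        t = threading.Thread(target=_serve_once, args=(server, allowed_uids, result))
        t.start()

        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        with client:
            client.connect(path)
            # Constructed stand-in for a SASL EXTERNAL bind: the client asserts
            # nothing about who it is; the server relies on the kernel instead.
            client.sendall(b"BIND sasl=EXTERNAL")
            reply = client.recv(64).decode()

        t.join()
        server.close()
    result["reply"] = reply
    return result


if __name__ == "__main__":
    print(run_exchange())            # current user is allowed: ACCEPTED
    print(run_exchange(set()))       # same client, policy now rejects it: DENIED
```

Because the client and server here live in one process, the pid, uid and gid the server reads back are simply those of the running interpreter; in a real deployment the server would see the connecting process's identity without that process having presented any credential over the wire, which is the point of the paragraph above.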
When the identity of the parties is known and managed by the OS, management and protection of the identity credentials is limited to the OS instance rather than spanning all parties. Thus the cost of management is greatly reduced when LDAPI is used. In addition to intrinsic authentication, since messages between the LDAP client and the LDAP server never leave the OS instance, both parties know that data sent between the client and the server are not vulnerable to network eavesdropping when LDAPI is used.
The limitations of LDAPI eliminate some problems, but also restrict its use to very specialized circumstances, since it requires that both the client and the server exist in the same OS instance.